Cipher Text Translate2 (CSNBCTT2)

This callable service deciphers encrypted data (ciphertext) under one ciphertext translation key and re-enciphers it under another ciphertext translation key without the data ever appearing in the clear outside the cryptographic coprocessor. Such a function is useful in a multiple-node network, where sensitive data passes through several intermediate nodes before it reaches its final destination.

Use the Cipher Text Translate2 verb to decipher text under an input key and then to encipher the text under an output key. Both AES and DES algorithms are supported. Translation between AES and DES is allowed with restrictions controlled by access control points.

The encryption modes supported are:

  • DES – CBC, CUSP and IPS
  • AES – CBC and ECB

The padding methods supported are:

  • DES – X9.23
  • AES – PKCSPAD

Scenario for using the CSNBCTT2 verb

This scenario uses the Encipher (CSNBENC), Cipher Text Translate2 (CSNBCTT2), and Decipher (CSNBDEC) callable services with four network nodes: A, B, C, and D. You want to send data from your network node A to a destination node D. You cannot communicate directly with node D, because nodes B and C are situated between A and D. You do not want nodes B and C to decipher your data.

At node A, you use the CSNBENC service. Node D uses the CSNBDEC service. Nodes B and C use the CSNBCTT2 service.

Consider the keys that are needed to support this process:

  1. At your node, generate one key in two forms: OPEX CIPHER CIPHERXI.
  2. Send the exportable CIPHERXI key to node B.
  3. Nodes B and C need to share a key, so generate a different key in two forms: EXEX CIPHERXO CIPHERXI.
  4. Send the exportable CIPHERXO key to node B.
  5. Send the exportable CIPHERXI key to node C.
  6. Node C and node D need to share a CIPHERXO key and a CIPHER key. Node D can generate one key in two forms: OPEX CIPHER CIPHERXO.
  7. Node D sends the exportable CIPHERXO key to node C.

The communication process is shown as:

Node:         A               B                     C                D
Service:      CSNBENC         CSNBCTT2              CSNBCTT2         CSNBDEC
Keys:         CIPHER     CIPHERXI   CIPHERXO   CIPHERXI   CIPHERXO   CIPHER
Key pairs:    |________=________|   |_________=________|  |________=_______|

Therefore, you need three keys, each in two different forms. You can generate two of the keys at node A, and node D can generate the third key. Note that the key used in the decipher callable service at node D is not the same key used in the encipher callable service at node A.
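The node chain above, as an added Go model that is not IBM's code or API: a KeyToken carries the key usage attribute (CIPHER, CIPHERXI or CIPHERXO), Encipher and Decipher stand in for CSNBENC and CSNBDEC, and Translate stands in for CSNBCTT2, refusing any key whose attribute does not fit the verb and never returning the intermediate plaintext. AES-CBC with PKCS padding and a fixed zero IV are assumptions made to keep the sketch short; the real services take IVs, key tokens and rule arrays that this model omits.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
)

// KeyToken stands in for a CCA key token: an AES key plus the usage attribute the page names. Constructed; not the real token layout.
type KeyToken struct{ Usage string; Key []byte }

// aesCBC is AES-CBC with PKCS padding (one of the AES combinations the page lists). The zero IV is an assumption that keeps the example short.
func aesCBC(key, data []byte, enc bool) ([]byte, error) {
	blk, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	iv, buf := make([]byte, aes.BlockSize), append([]byte{}, data...)
	if enc {
		n := aes.BlockSize - len(buf)%aes.BlockSize
		buf = append(buf, bytes.Repeat([]byte{byte(n)}, n)...)
		cipher.NewCBCEncrypter(blk, iv).CryptBlocks(buf, buf)
		return buf, nil
	}
	if len(buf) == 0 || len(buf)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext not block-aligned")
	}
	cipher.NewCBCDecrypter(blk, iv).CryptBlocks(buf, buf)
	n := int(buf[len(buf)-1])
	if n < 1 || n > aes.BlockSize || !bytes.HasSuffix(buf, bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad PKCS padding")
	}
	return buf[:len(buf)-n], nil
}

// verb enforces the usage attribute a service accepts before the key material is touched at all.
func verb(t KeyToken, usage string, data []byte, enc bool) ([]byte, error) {
	if t.Usage != usage { return nil, errors.New("key usage " + t.Usage + " rejected; " + usage + " required") }
	return aesCBC(t.Key, data, enc)
}

// Encipher and Decipher model CSNBENC and CSNBDEC: both accept only a CIPHER key.
func Encipher(t KeyToken, p []byte) ([]byte, error) { return verb(t, "CIPHER", p, true) }
func Decipher(t KeyToken, c []byte) ([]byte, error) { return verb(t, "CIPHER", c, false) }

// Translate models CSNBCTT2: CIPHERXI key in, CIPHERXO key out; the recovered plaintext p never leaves this function.
func Translate(in, out KeyToken, c []byte) ([]byte, error) {
	p, err := verb(in, "CIPHERXI", c, false)
	if err != nil { return nil, err }
	return verb(out, "CIPHERXO", p, true)
}
```

Running the scenario means calling Encipher at A, Translate at B and at C with each node's CIPHERXI/CIPHERXO pair, and Decipher at D; a node holding only translate-usage keys is rejected by Decipher before any key is used.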

Note: This verb supports PCI-HSM 2016 compliant-tagged key tokens.